Encryption at Rest

When using CHRT, your files are encrypted by default while at rest using AES-GCM (256-bit Advanced Encryption Standard Galois/Counter Mode).

Each file is encrypted with a unique key. All file keys are encrypted with a main key. The main key is rotated frequently and automatically.

We do not want, or expect, to ever put your data at risk of being readable by someone who doesn’t have your permission.

No Extra Copies

When you delete your data, we no longer have access to it. When you upload a file or when we generate a file for you, we store that data redundantly on multiple machines in one or more datacenters. When you request for a file to be deleted, all copies are deleted. If a service has an outage preventing the full deletion of your data - that will be shown in the user interface so that it’s clear. When you delete your data, we no longer have a copy of it.

The only stuff we keep is stuff like your basic account information. For more info, you can see our full Terms of Service and Privacy Policy.

Encryption in Transit

All traffic to and from CHRT occurs over encrypted connections known as “HTTPS” (as opposed to just “HTTP” - the extra “S” stands for “secure”). We use modern web best practices for encrypting traffic.

  • HTTPS only - we route traffic through a load balancer that automatically redirects insecure HTTP traffic to secure HTTPS traffic
  • Modern TLS - Our servers default to TLS 1.3, the newest version of the TLS protocol. They are also backwards compatible with TLS 1.2 for convenience if you’re using a somewhat old browser.
    • We don’t accept anything older than TLS 1.2, e.g. TLS 1.1
  • Modern Ciphers - since TLS allows for a choice of encryption cipher, our servers only allow modern ones…the sort that are not vulnerable to decryption
    • Here’s the specific list of ciphers we allow: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384
  • Domain level - we prevent DNS spoofing and the like by using DNSSEC (Domain Name System Security Extensions) to establish a chain of trust from the Certificate Authority to each of our hosted sites. We sign our Key using ECDSA Curve P-256 with SHA-256
    • e.g. our main site at chrt.com, our docs at docs.chrt.com, and our private API at api.chrt.com.
    • You can verify this in Google Chrome by clicking the settings button next to the url then clicking “Connection is Secure”
    • then clicking “certificate is valid” which will open a window showing our certificate details